On Wed, Dec 18, 2013 at 01:53:56PM +0200, Alexander Binun wrote:
> We are trying to monitor the traffic (network packets etc) between VMs in 
> KVM.  We succeeded in getting the address of the system call table (see 
> http://syprog.blogspot.co.il/2011/10/hijack-linux-system-calls-part-iii.html) 
> and intercept the system calls going through the kernel.
> 
> In such a way we see ALL system calls (including those which were not 
> initiated from within VMs).

You do not see guest system calls when you hook host system calls.  You
only see host system calls (including those made by QEMU).

> How can we filter out the system calls not related to VMs ? What is your 
> opinion regarding our approach ?

Maybe I'm missing context for this discussion but I wouldn't intercept
system calls in order to monitor VM network traffic.

You can monitor VM traffic using libpcap on the VM's tap interface on
the host.  If you want fancier deep packet inspection, Open vSwitch
offers a flow-based interface so you can monitor just certain
conversations.

Stefan
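
Added example, not part of the original message: a host-side monitor for one guest's tap interface. It uses a raw AF_PACKET socket from the Python standard library in place of libpcap; the interface name given on the command line, the helper names and the sample frame are assumptions made for illustration.

```python
import socket
import struct
import sys

ETH_P_ALL = 0x0003   # linux/if_ether.h: deliver frames of every protocol

# Constructed sample: UDP 10.0.0.1:12345 -> 10.0.0.2:53 between two made-up guest MACs.
SAMPLE_FRAME = bytes.fromhex(
    "525400000002" "525400000001" "0800"
    "4500001c00004000401100000a0000010a000002"
    "3039003500080000")

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def summarize_frame(frame):
    """Return a dict describing an IPv4 frame, or None for anything else."""
    if len(frame) < 14:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    off = 14
    if ethertype == 0x8100 and len(frame) >= 18:       # skip one 802.1Q VLAN tag
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != 0x0800 or len(frame) < off + 20 or frame[off] >> 4 != 4:
        return None
    ihl = (frame[off] & 0x0F) * 4                      # IPv4 header length in bytes
    if ihl < 20:
        return None
    info = {"src_mac": mac(src), "dst_mac": mac(dst),
            "src_ip": socket.inet_ntoa(frame[off + 12:off + 16]),
            "dst_ip": socket.inet_ntoa(frame[off + 16:off + 20]),
            "proto": frame[off + 9], "sport": None, "dport": None}
    frag = struct.unpack("!H", frame[off + 6:off + 8])[0] & 0x1FFF
    l4 = off + ihl
    # Ports exist only in the first fragment of a TCP (6) or UDP (17) packet.
    if info["proto"] in (6, 17) and frag == 0 and len(frame) >= l4 + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return info

def capture(ifname):
    """Print every IPv4 frame seen on ifname (Linux only, needs CAP_NET_RAW)."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL)) as s:
        s.bind((ifname, 0))                            # only this interface's frames
        while True:
            info = summarize_frame(s.recv(65535))
            if info:
                print(info)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        capture(sys.argv[1])                           # the guest's tap device on the host
    else:
        print(summarize_frame(SAMPLE_FRAME))
```

Run without arguments it parses the constructed frame; given a tap device name it reports only that guest's traffic, which is the filtering the system-call hook could not provide.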
